Infected with Backdoor.0Access, AV programs disabled, Google redirects


  • This topic is locked
17 replies to this topic

#1 Glenp

  • Members
  • 9 posts

Posted 08 October 2011 - 03:16 PM

Hi,

Thank you for this service. On October 5, 2011 I was browsing the internet when AVG antivirus popped up and said a threat was detected. I didn't write down what it said, but it gave a number. I also had a popup, a very official-looking Windows security or firewall alert saying allow or don't allow access, I think for explorer.exe. I don't know if it was real or not; at the time I thought it was, but now I'm thinking it wasn't, as although it looked official, I don't remember ever seeing it before. This popped up when I tried to run a program, or even from IE. Then I noticed that a Google search was redirected to a spammy-looking page, and I think the address was something like splendidsearchsystem dot com.
I then looked for my AVG in the taskbar and it was gone; also, there was no Windows notification in the taskbar that I didn't have antivirus. I ran Malwarebytes; it ran for a few seconds then shut down, then I couldn't run it again, and the mbam.exe icon went from the normal Malwarebytes icon to a blank .exe icon. The same thing happened with the AVG icons. None of those blanked icons will run; they give a Windows alert: "Windows cannot access the specified file, you may not have the right permissions." I booted into safe mode and managed to reinstall Malwarebytes and ran it, and it found Backdoor.0Access and managed to remove it. However, after rebooting into normal mode, all of the problems still existed. I tried running Malwarebytes from here and it shut down after a few seconds, and the icon became blank and wouldn't run again. HijackThis also would not run, but did run in safe mode.

I have no GMER log as I could not successfully run it. I ran GMER in safe mode and it found "Type ADS, Name c:\windows/2744192242:234057308.exe Value 816 bytes executable" along with some other items located in c:\windows\$NTUninstall/KB40016$.
Then a popup came (after about 8-10 hours of running) saying it had found rootkit activity, and the whole screen, including the mouse, froze. I tried running GMER not in safe mode; it again ran for 8-10 hours, and I came back to the computer to a BSOD with stop 0x0000008E(0xc000009A,0x804E566B,0xA3E715F0,0x00000000).

So I have no GMER log to provide.

Here is the DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Run by Matt at 11:40:51 on 2011-10-08
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1429 [GMT -7:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Lexmark 8300 Series\ezprint.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = file:///C:/xampp/htdocs/weblinks.htm
uWinlogon: Shell=c:\documents and settings\matt\local settings\application data\f20c91a3\X
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [CTDVDDET] "c:\program files\creative\sound blaster x-fi\dvdaudio\CTDVDDET.EXE"
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanel.exe" /r
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [LXCJCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCJtime.dll,_RunDLLEntry@16
mRun: [lxcjmon.exe] "c:\program files\lexmark 8300 series\lxcjmon.exe"
mRun: [EzPrint] "c:\program files\lexmark 8300 series\ezprint.exe"
mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [WD Button Manager] WDBtnMgr.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\adobe acrobat 6.0\distillr\acrotray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: intuit.com\ttlc
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1272136433093
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F375116A-793C-11D2-BFE1-444553540001} - hxxp://realist2.firstamres.com/mapviewer/mapviewer.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\matt\application data\mozilla\firefox\profiles\czhq7nxs.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\web platform installer\NPWPIDetector.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 297168]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
S2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [2010-4-24 29416]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-8-18 7390560]
S2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-24 136176]
S2 MotoHelper.exe;Motorola Helper;c:\program files\motorola\moto helper service\MotoHelper.exe [2010-9-15 8192]
S2 MotoHelper;MotoHelper Service;c:\program files\motorola\motohelper\MotoHelperService.exe [2010-10-22 210240]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys [2011-2-4 6016]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-4-24 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\Motousbnet.sys [2011-2-4 23424]
.
=============== Created Last 30 ================
.
2011-10-06 07:02:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-06 07:01:52 -------- d-----w- c:\program files\mbyt
2011-10-05 19:15:58 48016 --sha-w- c:\windows\system32\c_21341.nl_
2011-10-05 18:36:03 -------- d-sh--w- c:\documents and settings\matt\local settings\application data\f20c91a3
.
==================== Find3M ====================
.
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-01 00:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-27 03:46:51 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-24 21:29:26 454656 ----a-w- c:\program files\putty.exe
1997-03-11 00:31:00 448512 ----a-w- c:\program files\fontlister.exe
.
============= FINISH: 11:41:06.46 ===============

Thank you,
Matt

Edited by Glenp, 08 October 2011 - 03:19 PM.
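Two lines in the DDS log above carry most of the signal for this thread: the `uWinlogon: Shell=` entry pointing at `...\application data\f20c91a3\X` instead of the Windows default `explorer.exe`, and the "Created Last 30" entries whose attribute field shows both the system and hidden flags (`d-sh--w-`, `--sha-w-`). The following script, an added example that is not part of the thread and not code from the DDS tool's author, runs those two checks over a constructed excerpt in the same line format as the posted log. The `u` prefix is assumed here to be DDS's marker for the current-user hive, and the attribute letters `s`/`h` are assumed to mean system/hidden, which is how the posted log reads.

```python
import re

# Constructed excerpt in the DDS log format posted in the thread; the field
# layout (date, time, size, 8-char attribute string, path) is copied from it.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
.
uStart Page = file:///C:/xampp/htdocs/weblinks.htm
uWinlogon: Shell=c:\documents and settings\matt\local settings\application data\f20c91a3\X
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
.
=============== Created Last 30 ================
.
2011-10-06 07:02:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-05 19:15:58 48016 --sha-w- c:\windows\system32\c_21341.nl_
2011-10-05 18:36:03 -------- d-sh--w- c:\documents and settings\matt\local settings\application data\f20c91a3
.
"""

# "uWinlogon: Shell=<value>" / "mWinlogon: Shell=<value>" (u = user hive, m = machine hive, assumed DDS convention)
WINLOGON_SHELL_RE = re.compile(r"^(?P<scope>[um])Winlogon:\s*Shell=(?P<value>.+?)\s*$")
# "<date> <time> <size-or-dashes> <8 attribute chars> <path>"
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>\S{8}) (?P<path>.+?)\s*$"
)

# The Windows default for the Winlogon Shell value.
DEFAULT_SHELL = "explorer.exe"


def find_winlogon_shell_hijack(text):
    """Return (scope, value) for every Winlogon Shell entry that is not explorer.exe."""
    hits = []
    for line in text.splitlines():
        m = WINLOGON_SHELL_RE.match(line.strip())
        if m and m.group("value").strip().lower() != DEFAULT_SHELL:
            hits.append((m.group("scope"), m.group("value").strip()))
    return hits


def find_hidden_system_entries(text):
    """Return paths from 'Created Last 30' whose attribute field has both s (system) and h (hidden)."""
    hits = []
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if m and "s" in m.group("attrs") and "h" in m.group("attrs"):
            hits.append(m.group("path"))
    return hits


if __name__ == "__main__":
    for scope, value in find_winlogon_shell_hijack(SAMPLE_DDS):
        print(f"Winlogon Shell ({scope}) is not the default: {value}")
    for path in find_hidden_system_entries(SAMPLE_DDS):
        print(f"recently created, system+hidden: {path}")
```

Both checks are heuristics for triage, not verdicts: a non-default Shell value is always worth a look, and a freshly created system+hidden directory under a user's Application Data folder is the kind of entry a responder would want to inspect before the full log is read.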




#2 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 09 October 2011 - 04:11 PM

Good evening. :)

Please download DummyCreator.zip by Farbar from here and save it to your Desktop - you will then need to unzip it.

Right click on the zipped folder and from the menu that appears, click on Extract All...
In the "Extraction Wizard" window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish.


  • Double click DummyCreator.exe to run the tool.
  • Copy and paste the following into the edit box:

    • c:\windows/2744192242
  • Click the Create button.
  • Make sure you have a copy of Result.txt that should appear once the tool has completed.
  • Important: Restart the computer and then let me have a copy of Result.txt in your next reply.

So long, and thanks for all the fish.

 

 


#3 Glenp

  • Topic Starter
  • Members
  • 9 posts

Posted 10 October 2011 - 03:04 AM

Thank you for your help. FYI, I have disconnected the infected system from the internet, so I am copying back and forth with a flash drive.

Result.txt is below:

DummyCreator by Farbar
Ran by Matt (administrator) on 10-10-2011 at 00:52:16
**************************************************************

c:\windows/2744192242 [10-10-2011 00:52:16]

== End of log ==

#4 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 10 October 2011 - 02:41 PM

Good evening. :)

Download Junction.zip by Mark Russinovich from here and save it to your Desktop - you'll need to unzip this one as well.

  • Copy and paste the file junction.exe into the Windows directory (C:\Windows).
  • Go to Start > Run..., copy the following into the textbox and click OK:

    • cmd /c junction -s c:\ >log.txt&log.txt& del log.txt
  • A Command Window will open and the tool will start scanning.
  • When it's done, a text file called log.txt will appear - I'd like a copy of that in your next reply.

So long, and thanks for all the fish.

 

 


#5 Glenp

  • Topic Starter
  • Members
  • 9 posts

Posted 10 October 2011 - 03:47 PM

Hello,

Here is log.txt


Junction v1.06 - Windows junction creator and reparse point viewer
Copyright © 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com


Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\System Volume Information: Access is denied.


...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...


Failed to open \\?\c:\\HijackThis\HijackThis.exe: Access is denied.


...

...

...
Failed to open \\?\c:\\Program Files\AVG\AVG10\avgtray.exe: Access is denied.



Failed to open \\?\c:\\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\ : Access is denied.




...

...

...

...

...

...

...


Failed to open \\?\c:\\Program Files\Malwarebytes\mbam.exe: Access is denied.


...

...


Failed to open \\?\c:\\Program Files\mbyt\mbam.exe: Access is denied.


...

...

...

...

...

..
Failed to open \\?\c:\\WINDOWS\$NtUninstallKB40016$: Access is denied.


.

...

...

...

..\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790


Failed to open \\?\c:\\WINDOWS\assembly\GAC_MSIL\Desktop.ini: Access is denied.


\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

\\?\c:\\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.ConfigUXv2\3.0.335.0__540d4816ead86321: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.ConfigUXv2_540d4816ead86321_3.0.335.0_x-ww_29a6be0d
Substitute Name: C:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.ConfigUXv2_540d4816ead86321_3.0.335.0_x-ww_29a6be0d

\\?\c:\\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.ConfigUXv2\3.1.31.0__540d4816ead86321: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.ConfigUXv2_540d4816ead86321_3.1.31.0_x-ww_8b778a47
Substitute Name: C:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.ConfigUXv2_540d4816ead86321_3.1.31.0_x-ww_8b778a47

\\?\c:\\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.Update\3.0.335.0__540d4816ead86321: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.Update_540d4816ead86321_3.0.335.0_x-ww_e51d7605
Substitute Name: C:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.Update_540d4816ead86321_3.0.335.0_x-ww_e51d7605

\\?\c:\\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.Update\3.1.31.0__540d4816ead86321: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.Update_540d4816ead86321_3.1.31.0_x-ww_46ee423f
Substitute Name: C:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.Update_540d4816ead86321_3.1.31.0_x-ww_46ee423f

.

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

..

#6 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 10 October 2011 - 05:01 PM

Will you just check for me that all of the log got posted. If necessary, just delete some of the "..." lines as I'm only interested in the text.

So long, and thanks for all the fish.

 

 


#7 Glenp

  • Topic Starter
  • Members
  • 9 posts

Posted 10 October 2011 - 05:05 PM

Yes, that is the entire log. Shall I run the program again?

#8 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 11 October 2011 - 02:57 PM

Good evening. :)

Nah, I just need to factor in an "end of file" notification to the results, so I can be sure that none are missed.

Please download GrantPerms.zip by Farbar from here and save it to your Desktop - you will then need to unzip it.

  • Run GrantPerms.exe and copy the following into the textbox:

    • c:\HijackThis\HijackThis.exe
      c:\Program Files\AVG\AVG10\avgtray.exe
      c:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin
      c:\Program Files\Malwarebytes\mbam.exe
      c:\Program Files\mbyt\mbam.exe
      c:\WINDOWS\$NtUninstallKB40016$
      c:\WINDOWS\assembly\GAC_MSIL\Desktop.ini
  • Click Unlock and when you are given the message "Unlock operation completed", click OK.
  • Click List Permissions to create a log of the actions - a copy will be saved as Perms.txt into the folder that GrantPerms.exe was run from.
  • I'd like you to copy and paste the contents of this textfile into your next reply.

So long, and thanks for all the fish.

 

 


#9 Glenp

  • Topic Starter
  • Members
  • 9 posts

Posted 11 October 2011 - 03:12 PM

Hello,

Here is Perms.txt

GrantPerms by Farbar
Ran by Matt at 2011-10-11 13:09:03

===============================================
ERROR: Parsing the SD of < c:\HijackThis\HijackThis.exe> failed with: The filename, directory name, or volume label syntax is incorrect.


Operating system error message: The filename, directory name, or volume label syntax is incorrect.
ERROR: Parsing the SD of < c:\Program Files\AVG\AVG10\avgtray.exe> failed with: The filename, directory name, or volume label syntax is incorrect.


Operating system error message: The filename, directory name, or volume label syntax is incorrect.
ERROR: Parsing the SD of < c:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin> failed with: The filename, directory name, or volume label syntax is incorrect.


Operating system error message: The filename, directory name, or volume label syntax is incorrect.
ERROR: Parsing the SD of < c:\Program Files\Malwarebytes\mbam.exe> failed with: The filename, directory name, or volume label syntax is incorrect.


Operating system error message: The filename, directory name, or volume label syntax is incorrect.
ERROR: Parsing the SD of < c:\Program Files\mbyt\mbam.exe> failed with: The filename, directory name, or volume label syntax is incorrect.


Operating system error message: The filename, directory name, or volume label syntax is incorrect.
ERROR: Parsing the SD of < c:\WINDOWS\$NtUninstallKB40016$> failed with: The filename, directory name, or volume label syntax is incorrect.


Operating system error message: The filename, directory name, or volume label syntax is incorrect.
ERROR: Parsing the SD of < c:\WINDOWS\assembly\GAC_MSIL\Desktop.ini> failed with: The filename, directory name, or volume label syntax is incorrect.


Operating system error message: The filename, directory name, or volume label syntax is incorrect.

#10 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 11 October 2011 - 04:43 PM

Will you repeat the last step using the following text -

\\?\c:\\HijackThis\HijackThis.exe
\\?\c:\\Program Files\AVG\AVG10\avgtray.exe
\\?\c:\\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\
\\?\c:\\Program Files\Malwarebytes\mbam.exe
\\?\c:\\Program Files\mbyt\mbam.exe
\\?\c:\\Program Files\mbyt\mbam.exe
\\?\c:\\WINDOWS\$NtUninstallKB40016$
\\?\c:\\WINDOWS\assembly\GAC_MSIL\Desktop.ini

Let me have the report, as before.

So long, and thanks for all the fish.

 

 


#11 Glenp

  • Topic Starter
  • Members
  • 9 posts

Posted 11 October 2011 - 08:28 PM

I tried to run GrantPerms.exe and it said "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

It also won't let me delete GrantPerms.exe: access is denied, make sure the disk is not full or write protected and that the file is not currently in use.

I then tried running a different copy of GrantPerms.exe from a different folder; it ran for about 1 second after I pasted the text into the box and closed. Then it gives the same errors as above when I try to access or delete it again. I also tried a 3rd copy after renaming it within the zip file, with the same result.

#12 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 12 October 2011 - 02:28 PM

Good evening. :)

Let's start with a fresh DDS log then.

So long, and thanks for all the fish.

 

 


#13 Glenp

  • Topic Starter
  • Members
  • 9 posts

Posted 12 October 2011 - 03:47 PM

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Run by Matt at 13:39:41 on 2011-10-12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1481 [GMT -7:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Lexmark 8300 Series\lxcjmon.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Lexmark 8300 Series\ezprint.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = file:///C:/xampp/htdocs/weblinks.htm
uWinlogon: Shell=c:\documents and settings\matt\local settings\application data\f20c91a3\X
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [CTDVDDET] "c:\program files\creative\sound blaster x-fi\dvdaudio\CTDVDDET.EXE"
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanel.exe" /r
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [LXCJCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCJtime.dll,_RunDLLEntry@16
mRun: [lxcjmon.exe] "c:\program files\lexmark 8300 series\lxcjmon.exe"
mRun: [EzPrint] "c:\program files\lexmark 8300 series\ezprint.exe"
mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [WD Button Manager] WDBtnMgr.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\adobe acrobat 6.0\distillr\acrotray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: intuit.com\ttlc
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1272136433093
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F375116A-793C-11D2-BFE1-444553540001} - hxxp://realist2.firstamres.com/mapviewer/mapviewer.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\matt\application data\mozilla\firefox\profiles\czhq7nxs.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\web platform installer\NPWPIDetector.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 297168]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
S2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [2010-4-24 29416]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-8-18 7390560]
S2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-24 136176]
S2 MotoHelper.exe;Motorola Helper;c:\program files\motorola\moto helper service\MotoHelper.exe [2010-9-15 8192]
S2 MotoHelper;MotoHelper Service;c:\program files\motorola\motohelper\MotoHelperService.exe [2010-10-22 210240]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys [2011-2-4 6016]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-4-24 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\Motousbnet.sys [2011-2-4 23424]
.
=============== Created Last 30 ================
.
2011-10-10 20:33:00 150392 ----a-w- c:\windows\junction.exe
2011-10-10 07:52:16 -------- d---a-w- c:\windows\2744192242
2011-10-06 07:02:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-06 07:01:52 -------- d-----w- c:\program files\mbyt
2011-10-05 19:15:58 48016 --sha-w- c:\windows\system32\c_21341.nl_
2011-10-05 18:36:03 -------- d-sh--w- c:\documents and settings\matt\local settings\application data\f20c91a3
.
==================== Find3M ====================
.
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-01 00:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-27 03:46:51 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-24 21:29:26 454656 ----a-w- c:\program files\putty.exe
1997-03-11 00:31:00 448512 ----a-w- c:\program files\fontlister.exe
.
============= FINISH: 13:40:40.53 ===============

#14 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:05:14 AM

Posted 12 October 2011 - 03:53 PM

Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingcomputer.com/combofix/how-to-use-combofix *

  • When prompted to save Combofix, change the filename BEFORE saving it - any name will do, as long as it has .exe at the end.
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console, so you are free to choose whether you want to complete this step, but it is in your interests to do so.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for!

So long, and thanks for all the fish.

#15 Glenp

  • Topic Starter
  • Members
  • 9 posts
  • Local time:09:14 PM

Posted 13 October 2011 - 02:24 AM

I tried to disable AVG antivirus and it would not allow temporary disable. I disabled every individual item in AVG that I could, but AVG was still running and combofix said it was still running. I ran combofix and it seemed to run as it should. After it ran, I opened AVG and tried to temp disable again and this time it let me. I then dropped the windows xp recovery file into the combofix icon to add windows recovery, and then combofix ran again and wrote over the first log it created. I had previously looked at the log quickly; it found many infected items and removed them. But all I have now is the 2nd combofix log, which is below.

Computer not acting normal. Getting some messages:
avgrsx.exe corrupt file. The file or directory c/doc&settings/alluser/application data/avg10/log is corrupt and unreadable. Please run chkdsk utility.

Also this message while combofix ran the 1st time: avg threat detected c:\thecfiz\CF29247.3xe (this is the name of the combofix file I put on the desktop, thecfiz). I told avg to ignore.

Also just now got message avg threat detected c/program files/avg/avg10/avgrsx.exe
win32/katusha.a
detected an open
I told avg to remove threat.

Computer is making sounds as if cpu is running intermittently.
Also, I was watching task manager running processes and all of a sudden DW20.exe appeared and used max cpu, then disappeared. This keeps happening.

Also, still can't delete grantperms.exe from the desktop.

At startup, after the desktop loads, there is a long delay of a couple minutes. Then the computer reports that avg is not running and windows firewall is not on. I tried to turn on windows firewall but it won't do it.

Very sorry I do not have the first combofix log for you.

ComboFix 11-10-12.04 - Matt 10/12/2011 23:22:13.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1416 [GMT -7:00]
Running from: c:\documents and settings\Matt\Desktop\thecfiz.exe
Command switches used :: c:\documents and settings\Matt\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((( Files Created from 2011-09-13 to 2011-10-13 )))))))))))))))))))))))))))))))
.
.
2011-10-10 20:33 . 2011-10-10 21:10 150392 ----a-w- c:\windows\junction.exe
2011-10-06 07:02 . 2011-10-06 07:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-10-06 07:02 . 2011-10-06 07:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-06 07:02 . 2011-10-06 07:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ipswitch
2011-10-06 07:01 . 2011-10-06 07:01 -------- d-----w- c:\program files\mbyt
2011-10-05 19:54 . 2011-10-05 19:54 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-10-05 19:15 . 2011-10-06 08:00 48016 --sha-w- c:\windows\system32\c_21341.nl_
2011-10-05 18:36 . 2011-10-05 18:36 -------- d-sh--w- c:\documents and settings\Matt\Local Settings\Application Data\f20c91a3
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-09 09:12 . 2004-08-04 10:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-01 00:00 . 2010-04-25 18:53 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-27 03:46 . 2011-06-23 18:07 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29 . 2004-08-04 10:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-24 21:29 . 2010-04-24 21:29 454656 ----a-w- c:\program files\putty.exe
1997-03-11 00:31 . 2010-04-25 03:56 448512 ----a-w- c:\program files\fontlister.exe
2011-09-30 03:16 . 2011-05-05 23:42 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-05 49152]
"CTHelper"="CTHELPER.EXE" [2006-12-12 19456]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-12-12 20480]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-20 45632]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"LXCJCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll" [2006-11-21 106496]
"lxcjmon.exe"="c:\program files\Lexmark 8300 Series\lxcjmon.exe" [2007-01-30 205744]
"EzPrint"="c:\program files\Lexmark 8300 Series\ezprint.exe" [2007-01-30 103344]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"WD Button Manager"="WDBtnMgr.exe" [2010-04-25 331776]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-09-10 2338656]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 217194]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxcjcoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcjpswx.exe"=
"c:\\Program Files\\WS_FTP Pro\\wsftppro.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020
"12345:TCP"= 12345:TCP:Motorola Helper
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 5:27 PM 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 4:48 AM 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [9/7/2010 4:48 AM 248656]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [2/8/2011 5:33 AM 269520]
R2 MotoHelper.exe;Motorola Helper;c:\program files\Motorola\Moto Helper Service\MotoHelper.exe [9/15/2010 12:33 AM 6656]
R2 MotoHelper;MotoHelper Service;c:\program files\Motorola\MotoHelper\MotoHelperService.exe [10/22/2010 3:57 PM 210240]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [8/19/2010 10:42 PM 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [8/19/2010 10:42 PM 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [8/19/2010 10:42 PM 27216]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [9/7/2010 4:49 AM 297168]
S2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [10/12/2011 11:01 PM 29416]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [8/18/2011 1:33 AM 7390560]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/24/2010 4:27 PM 136176]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys [2/4/2011 12:43 PM 6016]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/24/2010 4:27 PM 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\Motousbnet.sys [2/4/2011 12:43 PM 23424]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-24 23:27]
.
2011-10-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-24 23:27]
.
.
------- Supplementary Scan -------
.
uStart Page = file:///C:/xampp/htdocs/weblinks.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
DPF: {F375116A-793C-11D2-BFE1-444553540001} - hxxp://realist2.firstamres.com/mapviewer/mapviewer.cab
FF - ProfilePath - c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\czhq7nxs.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-12 23:25
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCJCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2804)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-10-12 23:27:00
ComboFix-quarantined-files.txt 2011-10-13 06:26
ComboFix2.txt 2011-10-13 06:10
.
Pre-Run: 167,293,042,688 bytes free
Post-Run: 167,245,422,592 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 3997288989FC562B9F6990FEEF2B75B5



